I have a Kubernetes Deployment of my Spring Boot application where I used to update the global Java cacerts using `keytool` at bootstrap:

```
keytool -noprompt -import -trustcacerts -cacerts -alias $ALIAS -storepass $PASSWORD
```

However, I need to make the container immutable using `readOnlyRootFilesystem: true` in the `securityContext` of the image in my Deployment. Therefore, I cannot update the cacerts like that with additional certificates to be trusted. The additional certificates that should be trusted are provided as the environment variable `CERTS`.

I assume that the only proper way would be to do this programmatically, for example during `@PostConstruct` in a Spring Boot component.

I was looking into some examples of how to set the global truststore in code, but all of them refer to updating the cacerts and then saving it to the filesystem, which does not work for me. Some examples use `System.setProperty("javax.net.ssl.trustStore", fileName);`, but this does not work either on the read-only filesystem, where I cannot update the file. Other examples suggest using `X509TrustManager`, but if I understood correctly, this does not work globally.

Is there any way in Java or Spring Boot to update the global truststore programmatically so that every operation in the code will use it and I do not have to implement something like a `TrustManager` for every connection? My goal is to have it imported at the beginning (similar to how it is done using shell and `keytool`), without touching the filesystem, as it is read-only.
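One way to get the effect the question describes without writing to disk is to load the JDK's bundled cacerts into an in-memory `KeyStore`, append the PEM certificates from `CERTS`, and install the resulting `SSLContext` as the JVM default. The following is an added example (not code from the original question or from any project); it assumes `CERTS` holds one or more concatenated PEM certificates, that the bundled cacerts file uses the JDK's default password `changeit`, and that it runs before any TLS client is created (e.g. from `main` before `SpringApplication.run`, or from a `@PostConstruct` on an early-initialised bean).

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an in-memory trust store from the JDK's bundled cacerts plus any
 * PEM certificates found in the CERTS environment variable, then installs it
 * as the JVM-wide default SSLContext. Nothing is written to the filesystem.
 * Added example; not part of the original question.
 */
public final class InMemoryTrustStore {

    private InMemoryTrustStore() {}

    /** Call once, early, before any HTTPS client is created. */
    public static void install() throws Exception {
        KeyStore trustStore = loadDefaultCacerts();

        // Assumption: CERTS contains concatenated PEM ("-----BEGIN CERTIFICATE-----" ...) blocks.
        String pem = System.getenv("CERTS");
        if (pem != null && !pem.isBlank()) {
            int added = addPemCertificates(trustStore, pem);
            System.out.println("Added " + added + " extra trusted certificate(s) from CERTS");
        }

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        // Makes the store the default for code that calls SSLContext.getDefault() ...
        SSLContext.setDefault(ctx);
        // ... and for plain HttpsURLConnection, which caches its own default factory.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    /** Reads $JAVA_HOME/lib/security/cacerts into a mutable in-memory KeyStore. */
    static KeyStore loadDefaultCacerts() throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts.toFile())) {
            // Assumption: the JDK default password "changeit" has not been changed in the image.
            ks.load(in, "changeit".toCharArray());
        }
        return ks;
    }

    /** Parses every certificate in the PEM text and adds it as a trusted entry. */
    static int addPemCertificates(KeyStore ks, String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs = cf.generateCertificates(
            new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
        int count = 0;
        for (Certificate c : certs) {
            X509Certificate x509 = (X509Certificate) c;
            // Alias must be unique; derive it from the position in CERTS.
            ks.setCertificateEntry("certs-env-" + count, x509);
            count++;
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        install();
        // Any JDK HTTPS client created after this point trusts cacerts + CERTS.
        new java.net.URL("https://example.com").openConnection().connect();
    }
}
```

One caveat a practitioner should keep in mind: `SSLContext.setDefault` only affects code that asks the JDK for the default context. HTTP clients that construct their own `SSLContext` (for example Apache HttpClient or Netty-based `WebClient` configured with an explicit `SslContext`) need to be handed this trust store explicitly, typically by exposing the `TrustManagerFactory` above as a Spring bean and wiring it into those clients.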